Recently, the California legislature passed AB 2269, which has now made its way to the Governor’s desk. The bill would effectively require ANY individuals or entities engaged in exchanging, transferring, storing, or other activities to obtain a license from the California Department of Financial Protection and Innovation (DFPI), and adhere to a host of specific criteria, limitations, and prohibitions.
What does this mean for the industry and why are so many in the crypto industry opposed?
In May 2022, Governor Newsom issued an executive order (EO) on cryptocurrency designed to “spur responsible web3 innovation, grow jobs, and protect consumers.” When the EO was first published, we at BitAML recognized this as a big step toward an ambitious regulatory vision that balanced innovation with consumer protection and a myriad of other priorities aimed at the greater good (e.g., job creation, research, and diversity/inclusion, etc.). The Governor’s EO envisioned fostering an environment that was both pro-innovation and pro-consumer; as opposed to other states that focused more on pro-business marketing and gimmickry.
In the background, AB 2269 was quietly making its way through the California State Assembly. Although introduced and later referred to the Banking and Finance Committee in March 2022, many viewed the bill as a longshot to make its way through the various committees and receive a floor vote, much less pass. On August 30, 2022, the bill did just that; passing with a 71-0 vote, before being subsequently delivered to the Governor’s desk where it now sits awaiting his signature or veto.
So, what exactly is in the bill and why the crypto industry (and the Governor) should be alarmed?
First and foremost, it is a one-sized fits all framework that would effectively require any crypto money transmitter to obtain a permission-based license with DFPI. While it is true that almost all states now regulate crypto exchangers, most recognize that not all can or ought to require a license. Generally, such a nuanced risk-based approach will mandate licensure for custodial exchangers (i.e., those that hold or have access to customer funds on the promise to make them available at a later time), while granting exemptions to non-custodial exchangers (i.e., those that do not hold or have access to funds, or merely facilitate a direct wallet-to-wallet exchange). The distinction in risk profile couldn’t be more stark and, thanks to some troubling recent headlines, more obvious.
Non-custodial business models in crypto are certainly not without their fair share of risks to be sure. But is it really fair to say our only choice in regulating crypto is a license requirement or nothing? We think there is a better way forward.
In our opinion…
Custodial business models should be required to obtain a license from the DFPI, while non-custodial business models should be required to register with the DFPI.
At present, the states that grant exemptions for non-custodial business models (sometimes referred to as “no action” states) simply convey their determination via regulatory agency website, guidance, or respond to so-called “no action letters” via email. While these various state regulatory agencies are often quite responsive and readily accessible, we think they’re missing an opportunity in that they don’t have a complete and accurate accounting of the crypto exchangers in their jurisdiction. Those that qualify for exemption may not reach out to the state regulator, and the agency may not be accurately and completely cataloging all of the inbound inquiries requesting confirmation of exempt status. The DFPI and California would be wise to consider implementing a registration system for non-custodial business models. Unlike a permission-based license, the registration would be much more of a declaration form, not all that different from FinCEN registration at the federal-level. With a more complete accounting of these non-custodial businesses, the DFPI could then cross-reference this registry with consumer complaints on file and other information to take appropriate action, whether in the form of an informational request letter or conducting a full examination.
Operationally, we think that this approach is much more prudent and realistic for the DFPI. In its current form, AB 2269 would in essence set up the DFPI to fail. Forcing virtually all crypto money transmitters operating in California and/or offering services to customers in California to apply for a license would create a line a mile long with thousands of individuals and entities based on the number of current participants in the marketplace.
The New York Department of Financial Services (NYDFS) “BitLicense,” a one-sized fits all crypto licensing framework presents a cautionary tale. Since rolling out the BitLicense in 2015, NYDFS has only issued 31 licenses, which means an average of less than five licenses are issued each year. That doesn’t mean there’s a shortage of applicants. In fact, many crypto companies have had an application pending with NYDFS for more than two or three years.
So, what does this mean for California? Potentially much worse.
Unlike New York, which is the fourth largest state, California has a much larger population, is a global hub of technology and innovation, and is often the first state within which crypto currency exchangers operate or onboard customers due to the current absence of any license requirement. Add to this, consider how many more cryptocurrency exchangers have been launched since 2015 and the rate of new entrants every day. All this to say, the stack of applications for a cryptocurrency money transmitter license in California would likely be exponentially higher than anything we’ve seen in New York if the state were to adopt AB 2269.
What’s more, those granted the BitLicense, and the many more patiently remaining in line, have by many accounts spent hundreds of thousands of dollars on legal, compliance, consulting, and other costs. So much for diversity, equity, and inclusion, which, by the way, is referenced in the seven priorities set forth by Governor Newsom in his Executive Order.
Separately, AB 2269 contained several limitations and prohibitions directed to specific aspects of the cryptocurrency industry. Perhaps most notably, the bill would require kiosk operators to implement a $1,000 per person, per day transaction limit. (The bill reads, “…electronic information processing device which accepts or dispenses cash when engaging in digital financial asset business activity…,” but let’s face it, this is directly aimed at kiosk operators.) This cap is likely a kneejerk legislative response to complaints from consumers who were scammed and ultimately paid the fraudsters via crypto currency purchased at a kiosk. It’s important to remember that kiosks offer customers a convenient method for purchasing cryptocurrency with transactions often completed in less than 30 seconds. Sadly, the bad guys enjoy the same benefits as the good guys.
More practically, a $1,000 per person, per day limit would unleash a plethora of unintended consequences. First, as a matter of compliance best practice, many if not most kiosk operators, utilizing a tier-based KYC, begin collecting and verifying customer identification at $1,000. As such, under AB 2269, operators would likely retain far less customer information that would ultimately be useful to law enforcement. Second, customers wishing to purchase more than $1,000 would simply engage in transactions with multiple different kiosk operators, which is much more difficult to track, form an understanding of the customer and their financial dealings, and ultimately decipher whether or not the behavior is suspicious and/or unusual. Third, cryptocurrency kiosk operators, now making far less money on transaction fees as a result of the cap, may decide to throw in the towel and close down their business.
Finally, several kiosk operators have begun offering exchange activities via a tablet or similar device in collaboration with third-party retail store owners. Unlike the kiosks, which are automated, the retail merchant partner accepts the cash from the customer and processes the purchase of the crypto. While operationally similar to a kiosk, at first glance it may not meet the definition of an “…electronic information processing device which accepts or dispenses cash when engaging in digital financial asset business activity…” In short, we’re concerned that such a directed effort to target kiosk operators may simply result in them identifying operational or fact pattern loopholes.
The one-sized fits all regulatory framework of California AB 2269 is a disaster waiting to happen. It neither protects consumers nor does it promote innovation within the cryptocurrency industry, which is the key nexus of Governor Newsom’s Executive Order, and as he rightfully points out, what California values. While state regulation of cryptocurrency money transmitters in California is necessary to protect consumers and ensure the state leads the way on innovation, a heavy-handed approach will deliver neither. Regulation must be risk-based, taking into account the unique risks posed to Californians, prescribing a realistic approach to mitigating these risks, and not tying the hands of regulators with unrealistic demands. It is our hope that AB 2269 is vetoed by the Governor, and the conversation starts anew about how best to truly balance consumer protection and innovation in cryptocurrency. In our opinion, we believe the state ought to adopt a two-prong, risk-based approach to regulating cryptocurrency exchangers that would mandate (1) permission-based licensure for custodial business models, and (2) a declaratory registration system for non-custodial business models